HIVE-29606: Support SSL include protocols and cipher suites for Hive Metastore (apache#6476)

Author: VenuReddy2103

standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java

@@ -535,6 +535,9 @@ private Map<String, String> getAdditionalHeaders() {
     Map<String, String> headers = new HashMap<>();
     String keyValuePairs = MetastoreConf.getVar(conf,
         MetastoreConf.ConfVars.METASTORE_CLIENT_ADDITIONAL_HEADERS);
+    if (keyValuePairs.isEmpty()) {
+      return headers;
+    }
     try {
       String[] headerKeyValues = keyValuePairs.split(",");
       for (String header : headerKeyValues) {
@@ -575,9 +578,11 @@ private THttpClient createHttpClient(URI store, boolean useSSL) throws MetaExcep
         String trustStorePassword = MetastoreConf.getPassword(conf, MetastoreConf.ConfVars.SSL_TRUSTSTORE_PASSWORD);
         String trustStoreType = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_TRUSTSTORE_TYPE).trim();
         String trustStoreAlgorithm = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_TRUSTMANAGERFACTORY_ALGORITHM).trim();
+        String includeProtocols = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_PROTOCOLS);
+        String includeCipherSuites = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_CIPHERSUITES);
         tHttpClient =
             SecurityUtils.getThriftHttpsClient(httpUrl, trustStorePath, trustStorePassword, trustStoreAlgorithm,
-                trustStoreType, httpClientBuilder);
+                trustStoreType, includeProtocols, includeCipherSuites, httpClientBuilder);
       } else {
         tHttpClient = new THttpClient(httpUrl, httpClientBuilder.build());
       }
@@ -659,8 +664,11 @@ private TTransport createBinaryClient(URI store, boolean useSSL) throws TTranspo
             MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_TRUSTSTORE_TYPE).trim();
         String trustStoreAlgorithm =
             MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_TRUSTMANAGERFACTORY_ALGORITHM).trim();
+        String includeProtocols = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_PROTOCOLS);
+        String includeCipherSuites = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_CIPHERSUITES);
         binaryTransport = SecurityUtils.getSSLSocket(store.getHost(), store.getPort(), clientSocketTimeout,
-            connectionTimeout, trustStorePath, trustStorePassword, trustStoreType, trustStoreAlgorithm);
+            connectionTimeout, trustStorePath, trustStorePassword, trustStoreType, trustStoreAlgorithm,
+            includeProtocols, includeCipherSuites);
       } else {
         binaryTransport = new TSocket(new TConfiguration(), store.getHost(), store.getPort(),
             clientSocketTimeout, connectionTimeout);

standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java

@@ -1491,6 +1491,10 @@ public enum ConfVars {
             "Metastore SSL certificate truststore type."),
     SSL_TRUSTMANAGERFACTORY_ALGORITHM("metastore.trustmanagerfactory.algorithm", "hive.metastore.trustmanagerfactory.algorithm", "",
             "Metastore SSL certificate truststore algorithm."),
+    SSL_INCLUDE_PROTOCOLS("metastore.include.protocols", "hive.metastore.include.protocols", "",
+        "Comma-separated list of SSL protocols to include for the Metastore."),
+    SSL_INCLUDE_CIPHERSUITES("metastore.include.ciphersuites", "hive.metastore.include.ciphersuites", "",
+        "Colon-separated list of cipher suite names to include for the Metastore."),
     STATS_AUTO_GATHER("metastore.stats.autogather", "hive.stats.autogather", true,
         "A flag to gather statistics (only basic) automatically during the INSERT OVERWRITE command."),
     STATS_FETCH_BITVECTOR("metastore.stats.fetch.bitvector", "hive.stats.fetch.bitvector", false,

standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/utils/SecurityUtils.java

@@ -25,6 +25,9 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import javax.net.ssl.SSLContext;
+
+import com.google.common.base.Splitter;
+import com.google.common.collect.Iterables;
 import org.apache.hadoop.hive.metastore.api.MetaException;
 import org.apache.hadoop.hive.metastore.security.DelegationTokenIdentifier;
 import org.apache.hadoop.hive.metastore.security.DelegationTokenSelector;
@@ -62,14 +65,15 @@
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
 import java.io.IOException;
 import java.net.InetSocketAddress;
-import java.net.UnknownHostException;
 import java.security.KeyStore;
 
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 public class SecurityUtils {
   private static final Logger LOG = LoggerFactory.getLogger(SecurityUtils.class);
@@ -278,17 +282,61 @@ public static TServerSocket getServerSocket(String hiveHost, int portNum) throws
     return new TServerSocket(serverAddress);
   }
 
+  public static String[] parseIncludeProtocols(String protocols) {
+    return Iterables.toArray(Splitter.on(",").trimResults().omitEmptyStrings()
+        .split(protocols), String.class);
+  }
+
+  public static String[] parseIncludeCipherSuites(String cipherSuites) {
+    return Iterables.toArray(Splitter.on(":").trimResults().omitEmptyStrings()
+        .split(cipherSuites), String.class);
+  }
+
+  private static String[] filterEnabledProtocols(String[] enabledProtocols,
+      String includeProtocols) throws TTransportException {
+    String[] filteredProtocols = enabledProtocols;
+    String[] parsedIncludeProtocols = parseIncludeProtocols(includeProtocols);
+    if (parsedIncludeProtocols.length > 0) {
+      Set<String> protocolsLowerCase = Arrays.stream(parsedIncludeProtocols).map(String::toLowerCase)
+          .collect(Collectors.toSet());
+      filteredProtocols = Arrays.stream(enabledProtocols).filter(protocol ->
+          protocolsLowerCase.contains(protocol.toLowerCase())).toArray(String[]::new);
+    }
+    if (filteredProtocols.length == 0) {
+      throw new TTransportException("No TLS protocols to enable. "
+          + "Protocols configured to include: " + Arrays.toString(parsedIncludeProtocols)
+          + ", Protocols allowed to enable: " + Arrays.toString(enabledProtocols));
+    }
+    return filteredProtocols;
+  }
+
+  private static TSSLTransportFactory.TSSLTransportParameters getSSLTransportParameters(boolean isKeyStore,
+      String storePath, String storePassword, String storeAlgorithm, String storeType, String includeCipherSuites) {
+    TSSLTransportFactory.TSSLTransportParameters params;
+    String[] parsedCipherSuites = parseIncludeCipherSuites(includeCipherSuites);
+    if (parsedCipherSuites.length > 0) {
+      params = new TSSLTransportFactory.TSSLTransportParameters("TLS", parsedCipherSuites);
+    } else {
+      params = new TSSLTransportFactory.TSSLTransportParameters();
+    }
+    if (isKeyStore) {
+      params.setKeyStore(storePath, storePassword, storeAlgorithm, storeType);
+    } else {
+      params.setTrustStore(storePath, storePassword, storeAlgorithm, storeType);
+      params.requireClientAuth(true);
+    }
+    return params;
+  }
+
   public static TServerSocket getServerSSLSocket(String hiveHost, int portNum, String keyStorePath,
-      String keyStorePassWord, String keyStoreType, String keyStoreAlgorithm, List<String> sslVersionBlacklist)
-      throws TTransportException, UnknownHostException {
-    TSSLTransportFactory.TSSLTransportParameters params =
-        new TSSLTransportFactory.TSSLTransportParameters();
-    String kStoreType = keyStoreType.isEmpty()? KeyStore.getDefaultType() : keyStoreType;
-    String kStoreAlgorithm = keyStoreAlgorithm.isEmpty()?
-            KeyManagerFactory.getDefaultAlgorithm() : keyStoreAlgorithm;
-    params.setKeyStore(keyStorePath, keyStorePassWord, kStoreAlgorithm, kStoreType);
+      String keyStorePassWord, String keyStoreType, String keyStoreAlgorithm, List<String> sslVersionBlacklist,
+      String includeProtocols, String includeCipherSuites) throws TTransportException {
+    TSSLTransportFactory.TSSLTransportParameters params = getSSLTransportParameters(true,
+        keyStorePath, keyStorePassWord,
+        keyStoreAlgorithm.isEmpty() ? KeyManagerFactory.getDefaultAlgorithm() : keyStoreAlgorithm,
+        keyStoreType.isEmpty() ? KeyStore.getDefaultType() : keyStoreType, includeCipherSuites);
     InetSocketAddress serverAddress;
-    if (hiveHost == null || hiveHost.isEmpty()) {
+    if (StringUtils.isEmpty(hiveHost)) {
       // Wildcard bind
       serverAddress = new InetSocketAddress(portNum);
     } else {
@@ -310,7 +358,12 @@ public static TServerSocket getServerSSLSocket(String hiveHost, int portNum, Str
           enabledProtocols.add(protocol);
         }
       }
-      sslServerSocket.setEnabledProtocols(enabledProtocols.toArray(new String[0]));
+      if (enabledProtocols.isEmpty()) {
+        throw new TTransportException("No TLS protocols to enable after discarding configured blacklist protocols. "
+            + "Protocols allowed to enable: " + Arrays.toString(sslServerSocket.getEnabledProtocols()));
+      }
+      sslServerSocket.setEnabledProtocols(filterEnabledProtocols(enabledProtocols.toArray(String[]::new),
+          includeProtocols));
       LOG.info("SSL Server Socket Enabled Protocols: "
           + Arrays.toString(sslServerSocket.getEnabledProtocols()));
     }
@@ -319,18 +372,16 @@ public static TServerSocket getServerSSLSocket(String hiveHost, int portNum, Str
 
   public static TTransport getSSLSocket(String host, int port, int socketTimeout, int connectionTimeout,
       String trustStorePath, String trustStorePassWord, String trustStoreType,
-      String trustStoreAlgorithm) throws TTransportException {
-    TSSLTransportFactory.TSSLTransportParameters params =
-        new TSSLTransportFactory.TSSLTransportParameters();
-    String tStoreType = trustStoreType.isEmpty()? KeyStore.getDefaultType() : trustStoreType;
-    String tStoreAlgorithm = trustStoreAlgorithm.isEmpty()?
-        TrustManagerFactory.getDefaultAlgorithm() : trustStoreAlgorithm;
-    params.setTrustStore(trustStorePath, trustStorePassWord,
-        tStoreAlgorithm, tStoreType);
-    params.requireClientAuth(true);
+      String trustStoreAlgorithm, String includeProtocols, String includeCipherSuites) throws TTransportException {
+    TSSLTransportFactory.TSSLTransportParameters params = getSSLTransportParameters(false,
+        trustStorePath, trustStorePassWord,
+        trustStoreAlgorithm.isEmpty() ? TrustManagerFactory.getDefaultAlgorithm() : trustStoreAlgorithm,
+        trustStoreType.isEmpty() ? KeyStore.getDefaultType() : trustStoreType, includeCipherSuites);
     // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT and
     // connection timeout and SSLContext created with the given params
     TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, socketTimeout, params);
+    SSLSocket sslSocket = (SSLSocket) (tSSLSocket.getSocket());
+    sslSocket.setEnabledProtocols(filterEnabledProtocols(sslSocket.getEnabledProtocols(), includeProtocols));
     tSSLSocket.setConnectTimeout(connectionTimeout);
     return getSSLSocketWithHttps(tSSLSocket);
   }
@@ -341,13 +392,17 @@ public static TTransport getSSLSocket(String host, int port, int socketTimeout,
    */
   public static THttpClient getThriftHttpsClient(String httpsUrl, String trustStorePath,
       String trustStorePasswd, String trustStoreAlgorithm, String trustStoreType,
+      String includeProtocols, String includeCipherSuites,
       HttpClientBuilder underlyingHttpClientBuilder) throws TTransportException, IOException,
       KeyStoreException, NoSuchAlgorithmException, CertificateException,
       KeyManagementException {
     Preconditions.checkNotNull(underlyingHttpClientBuilder, "httpClientBuilder should not be null");
     if (trustStoreType == null || trustStoreType.isEmpty()) {
       trustStoreType = KeyStore.getDefaultType();
     }
+    if (trustStoreAlgorithm.isEmpty()) {
+      trustStoreAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
+    }
     KeyStore sslTrustStore = KeyStore.getInstance(trustStoreType);
     try (FileInputStream fis = new FileInputStream(trustStorePath)) {
       sslTrustStore.load(fis, trustStorePasswd.toCharArray());
@@ -356,8 +411,18 @@ public static THttpClient getThriftHttpsClient(String httpsUrl, String trustStor
     SSLContext sslContext =
         SSLContexts.custom().setTrustManagerFactoryAlgorithm(trustStoreAlgorithm).
             loadTrustMaterial(sslTrustStore, null).build();
+    String[] protocols = null;
+    String[] parsedProtocols = parseIncludeProtocols(includeProtocols);
+    if (parsedProtocols.length > 0) {
+      protocols = parsedProtocols;
+    }
+    String[] ciphers = null;
+    String[] parsedCipherSuites = parseIncludeCipherSuites(includeCipherSuites);
+    if (parsedCipherSuites.length > 0) {
+      ciphers = parsedCipherSuites;
+    }
     SSLConnectionSocketFactory socketFactory =
-        new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier(null));
+        new SSLConnectionSocketFactory(sslContext, protocols, ciphers, new DefaultHostnameVerifier(null));
     final Registry<ConnectionSocketFactory> registry =
         RegistryBuilder.<ConnectionSocketFactory> create().register("https", socketFactory)
             .build();

standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java

@@ -556,9 +556,12 @@ private static ThriftServer startBinaryMetastore(int port, HadoopThriftAuthBridg
       for (String sslVersion : MetastoreConf.getVar(conf, ConfVars.SSL_PROTOCOL_BLACKLIST).split(",")) {
         sslVersionBlacklist.add(sslVersion);
       }
+      String includeProtocols = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_PROTOCOLS);
+      String includeCipherSuites = MetastoreConf.getVar(conf, ConfVars.SSL_INCLUDE_CIPHERSUITES);
 
       serverSocket = SecurityUtils.getServerSSLSocket(msHost, port, keyStorePath,
-          keyStorePassword, keyStoreType, keyStoreAlgorithm, sslVersionBlacklist);
+          keyStorePassword, keyStoreType, keyStoreAlgorithm, sslVersionBlacklist,
+          includeProtocols, includeCipherSuites);
     }
 
     ExecutorService executorService = new ThreadPoolExecutor(minWorkerThreads, maxWorkerThreads,

standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ServletSecurity.java

@@ -21,6 +21,8 @@
 import static javax.ws.rs.core.HttpHeaders.WWW_AUTHENTICATE;
 
 import com.google.common.base.Preconditions;
+
+import java.security.KeyStore;
 import java.util.List;
 import java.util.function.Function;
 import org.apache.hadoop.conf.Configuration;
@@ -30,6 +32,7 @@
 import org.apache.hadoop.hive.metastore.auth.oauth2.OAuth2AuthenticatorFactory;
 import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
 import org.apache.hadoop.hive.metastore.utils.MetaStoreUtils;
+import org.apache.hadoop.hive.metastore.utils.SecurityUtils;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
@@ -39,6 +42,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.KeyManagerFactory;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -359,16 +363,27 @@ static SslContextFactory createSslContextFactory(Configuration conf) throws IOEx
     if (LOG.isInfoEnabled()) {
       LOG.info("HTTP Server SSL: adding excluded protocols: {}", Arrays.toString(excludedProtocols));
     }
+    String[] includeProtocols = SecurityUtils.parseIncludeProtocols(
+        MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_PROTOCOLS));
+    String[] includeCipherSuites = SecurityUtils.parseIncludeCipherSuites(
+        MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_CIPHERSUITES));
     SslContextFactory factory = new SslContextFactory.Server();
+    if (includeProtocols.length > 0) {
+      factory.setIncludeProtocols(includeProtocols);
+    }
     factory.addExcludeProtocols(excludedProtocols);
     if (LOG.isInfoEnabled()) {
       LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = {}",
         Arrays.toString(factory.getExcludeProtocols()));
     }
     factory.setKeyStorePath(keyStorePath);
     factory.setKeyStorePassword(keyStorePassword);
-    factory.setKeyStoreType(keyStoreType);
-    factory.setKeyManagerFactoryAlgorithm(keyStoreAlgorithm);
+    factory.setKeyStoreType(keyStoreType.isEmpty() ? KeyStore.getDefaultType() : keyStoreType);
+    factory.setKeyManagerFactoryAlgorithm(keyStoreAlgorithm.isEmpty() ?
+        KeyManagerFactory.getDefaultAlgorithm() : keyStoreAlgorithm);
+    if (includeCipherSuites.length > 0) {
+      factory.setIncludeCipherSuites(includeCipherSuites);
+    }
     return factory;
   }
 }

standalone-metastore/metastore-tools/tools-common/src/main/java/org/apache/hadoop/hive/metastore/tools/HMSClient.java

@@ -456,10 +456,12 @@ private TTransport open(Configuration conf, @NotNull URI uri) throws
               MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_TRUSTSTORE_TYPE).trim();
       String trustStoreAlgorithm =
               MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_TRUSTMANAGERFACTORY_ALGORITHM).trim();
-
+      String includeProtocols = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_PROTOCOLS);
+      String includeCipherSuites = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_INCLUDE_CIPHERSUITES);
       // Create an SSL socket and connect
       transport = SecurityUtils.getSSLSocket(host, port, clientSocketTimeout, connectionTimeout,
-          trustStorePath, trustStorePassword, trustStoreType, trustStoreAlgorithm);
+          trustStorePath, trustStorePassword, trustStoreType, trustStoreAlgorithm,
+          includeProtocols, includeCipherSuites);
       LOG.info("Opened an SSL connection to metastore, current connections");
     }